It Takes the Whole Shop  ·  Chapter 4

Human Telephone

Sarah Park has a wall map in her office — pushpins, string, over two hundred sub-tier suppliers, mostly red pins. She flows down quality requirements; they get implemented in weeks. She flows down cybersecurity requirements using the same supply chain, the same people. They die at every handoff. The same requirement. Different encoding. Different outcome.

Sarah Park has been a supply chain director at a Tier 1 prime contractor for eleven years. She manages relationships with over two hundred sub-tier suppliers across the United States — machine shops, electronics assemblers, surface treatment facilities, specialty fastener manufacturers. Her suppliers are overwhelmingly small businesses: ten to eighty employees, family-owned or closely held, technically excellent at what they produce, and completely unprepared for the cybersecurity requirements her contracts now impose on them.

Sarah's office is on the third floor of a glass-and-steel building in the suburbs of a major East Coast city. On her wall is a map — actual pushpins, actual string — showing every active supplier in her chain. Red pins for suppliers not yet CMMC-certified. Green pins for the handful that are. The map is mostly red.

Sarah's job, among many other things, is to flow down requirements. When a new regulation, a new clause, or a new standard applies to the program, Sarah ensures it reaches every supplier in the chain. She has been flowing down quality requirements for her entire career. Quality clauses get implemented. The sub-tier shops understand them because quality is the language they speak every day.

In 2025, Sarah began flowing down CMMC requirements in earnest. The clause was clear. DFARS 252.204-7021 requires that contractors and subcontractors handling CUI achieve the appropriate CMMC level as a condition of contract performance. Sarah included the clause in every subcontract modification. She sent explanatory communications. She hosted a supplier webinar.

The result was a game of telephone — and by the time the message reached the shop floor, it was unrecognizable.

What Flows Down on Paper

Sarah's flowdown was technically correct. The contract language was accurate. The clause citations were right. The requirements were stated clearly. On paper, every sub-tier supplier in Sarah's chain received the same message: you must achieve CMMC Level 2 certification, which requires implementation of the 110 security requirements of NIST SP 800-171 Rev. 2.

On paper, the signal was clean.

What Arrives on the Shop Floor

In practice, the signal degraded at every handoff.

At Precision Manufacturing — a forty-person shop in Milwaukee making brackets for Sarah's program — the contract modification arrived and was reviewed by the contracts administrator, a former machinist named Tom who handles purchasing and contract administration simultaneously. Tom read “cybersecurity” and “NIST SP 800-171” and “110 controls.” He highlighted the clause, flagged it as a new requirement, and forwarded it to his plant manager with a note: “New cyber requirement from the prime. Looks like we need to do something.”

The plant manager read Tom's note, opened the contract modification, read the first two paragraphs of the cybersecurity clause, and walked it to the IT person — who, at Precision Manufacturing, is Dave, a part-time contractor who comes in on Tuesdays and Thursdays.

Dave looked at 110 controls and said what any reasonable person would say: “This is going to be expensive. And I can't do it alone.” The plant manager asked how much. Dave guessed somewhere between $75,000 and $200,000. The plant manager filed it mentally under “things I'll deal with later” and went back to managing a production schedule that was already three weeks behind.

Six months later, nothing has changed. The clause is in the contract. The requirement is unfulfilled. The supplier looks the same as it did before the flowdown arrived.

Sarah's signal — clear, correct, contractually binding — arrived at Precision Manufacturing and died.

The Encoding Problem

Sarah has seen this pattern two hundred times. The flowdown goes out. The supplier acknowledges receipt. Six months later, the supplier's CMMC posture is unchanged. Sarah's team follows up. The supplier says they're “working on it.” Another six months passes. The contract option period approaches. The supplier is still not certified. Sarah faces a choice: hold the supplier to the requirement and lose a qualified manufacturing source, or waive the requirement and accept the risk.

Neither option serves the program. Both options are a direct consequence of the signal degrading at the handoff.

But here is what Sarah noticed, and what changed her understanding of the problem:

When Sarah flows down a quality requirement — a new inspection standard, a revised material specification, a customer quality clause — the sub-tier shops implement it within weeks. The quality manager reads the requirement, maps it to the existing quality system, identifies what needs to change, updates the relevant procedures, trains the affected personnel, and implements. The process is fast because the requirement arrives in a language the receiving end speaks. Quality requirements flow down into quality management systems. The infrastructure to carry them already exists.

When Sarah flows down a cybersecurity requirement, the sub-tier shop reads “cyber,” routes it to IT, and stalls. The requirement arrives in a language the receiving end does not speak. There is no infrastructure to carry it — or rather, the infrastructure exists but doesn't recognize the signal because the signal is encoded in the wrong frequency.

The same requirement. The same supply chain. The same people. Different encoding. Different outcome.

The Re-Encoding Experiment

In conversations with prime supply chain directors managing sub-tier CMMC adoption, a consistent pattern has emerged. When the requirement is transmitted as a cybersecurity obligation, the sub-tier stalls. When it is reframed as a quality discipline extension, the sub-tier acts. The following composite illustrates the dynamic.

Sarah tried something different with a cohort of sub-tier suppliers. Instead of flowing down the standard cybersecurity clause alone, she attached a supplementary communication — a one-page document that reframed the requirement:

“The CMMC Level 2 requirement asks you to implement a management system for information protection. The standard is NIST SP 800-171. If you already run a quality management system — AS9100, ISO 9001, or equivalent — you already practice most of the organizational disciplines this standard requires: access control, training management, document control, change management, incident response, evidence generation. The requirement is to extend your quality system to cover a new asset class: the controlled unclassified information that flows through your shop. Your quality manager should lead this effort. Your IT resources handle the technical controls — encryption, network architecture, endpoint protection. The management system is the envelope.”

The response was qualitatively different from anything the traditional cybersecurity-encoded flowdown had produced. Suppliers who had stalled for months under the cybersecurity framing began scheduling meetings with their quality managers within weeks. Shops that had been treating CMMC as an IT problem began mapping their existing quality system processes to the NIST SP 800-171 control families. Some began real implementation — not binder-building, but genuine process extension — within sixty days.

The difference was not the requirement. The requirement was identical. The difference was the encoding. The cybersecurity encoding said: “You need to build something you don't have.” The quality encoding said: “You need to extend something you already run.” The first produced paralysis. The second produced action.

Same requirement. Same people. Different language. Different outcome.

“I need a flowdown framework I can actually use. 'Here is the cybersecurity clause your contracts currently contain. Here is the same requirement expressed as a quality discipline.' That's the page I photocopy and bring to my VP of supply chain. That's the page that changes how my organization communicates with 200 sub-tier suppliers.”

— Prime Supply Chain Director, Tier 1

The signal arrived intact because the receiving end already had the infrastructure to carry it. The flowdown did not degrade, because for the first time it was transmitted on the frequency the shop floor already receives on.

The Re-Encoding Framework

For every prime supply chain director reading this chapter, here is the framework. Two columns. The left column is the language your contracts currently use. The right column is the same requirement, re-encoded in the frequency your sub-tier suppliers already receive on.

Current encoding (cybersecurity): “The Contractor shall implement cybersecurity practices in accordance with DFARS 252.204-7021 and achieve CMMC Level 2 certification.”

Re-encoded (quality discipline): “The Contractor shall extend its quality management system to cover information protection in accordance with NIST SP 800-171. The same disciplines currently applied to product quality — access control, training management, document control, change management, incident response, and evidence generation — shall be applied to the controlled unclassified information that flows through the Contractor's operations. The Contractor's quality function shall lead the management system extension. Technical controls (encryption, network architecture, endpoint protection) shall be provided by the Contractor's IT resources and integrated into the quality management system.”

Current encoding: “Subcontractor shall submit a System Security Plan.”

Re-encoded: “Subcontractor shall submit a System Security Plan developed as an extension of its quality manual, documenting how each NIST SP 800-171 requirement is implemented within the existing quality management system framework.”

Current encoding: “Evidence of compliance shall be maintained and available for review.”

Re-encoded: “Evidence of information protection practices shall be generated as a natural output of operating discipline within the quality management system — the same way training records, calibration certificates, and corrective action reports are generated today.”

This is not a change in legal requirements. The DFARS clause still flows down verbatim, and the obligation remains the same; the re-encoded language travels alongside it as a supplementary communication. The re-encoding changes the transmission frequency so the signal arrives at a receiver that already has the infrastructure to carry it.

“'The defense supply chain already knows how to run quality management systems — they just need to extend them to protect information' is a workforce-readiness argument. It reframes the challenge from 'small businesses need cybersecurity help' to 'small businesses already have the infrastructure.' That's self-sufficiency language.”

— Congressional Staffer, Senate Armed Services Committee

The flowdown problem is not a compliance problem. It is an encoding problem. And the encoding has been wrong from the start.

From It Takes the Whole Shop by David Kirubi. Published by Qualified Capacity Press.

The characters and organizations depicted in the narrative chapters are composites drawn from interviews, practitioner conversations, and industry experience across the Defense Industrial Base. They are representative of patterns observed across the sector and do not portray specific individuals, companies, or organizations.

If it's not qualified, it's not capacity.™